At the moment we are using privacyIDEA for SSH key management; for 2FA (VPN provided by a Watchguard firewall) we have a Vasco Identikey Server. Now I'm checking if the Vasco server can be replaced by privacyIDEA. The Watchguard appliance uses RADIUS for authentication.
The RADIUS authentication with privacyIDEA is working without any problems. The problem is that I need all groups of the user on the Watchguard appliance. This is possible with the RADIUS attribute "Filter-Id", see: https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/mvpn/ssl/mvpn_ssl_ext_auth_server_config.html
So, the privacyIDEA "LDAP Resolver" syncs all groups of a user with the configuration "Attribute mit mehreren Werten" (attributes with multiple values): ["group"]
The file /etc/privacyidea/rlm_perl.ini looks like this:

```
[Attribute Filter-Id]
dir = user
userAttribute = group
regex = cn=(.*),ou=Groups,dc=mycompany,dc=de
prefix =
suffix =
```
Now the response contains the Filter-Id attribute, but only the last group of the user, not all of them. The response looks like:

```
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=118, length=210
    Filter-Id = "SSLVPN-Extern"
    ...
    Reply-Message = "privacyIDEA access granted"
```
The response from the Vasco server looks like:

```
rad_recv: Access-Accept packet from host xxx port 1812, id=206, length=68
    Filter-Id = "SSLVPN-Intern"
    Filter-Id = "SSLVPN-Extern"
    ...
```

Is it possible to receive all user groups in the privacyIDEA RADIUS response?
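As an added illustration (not code from the post, privacyIDEA or the Watchguard docs), the following shows what the expected behaviour looks like on the wire: the regex from the rlm_perl.ini above is applied to every value of the multi-valued `group` attribute, and the Access-Accept carries one Filter-Id AVP (RFC 2865 type 11) per group, which a correct decoder collects as a list rather than keeping only the last instance. The shared secret, request authenticator and group DNs are constructed sample values.

```python
import hashlib
import re
import struct

ACCESS_ACCEPT = 2
FILTER_ID = 11       # RFC 2865 attribute type for Filter-Id
REPLY_MESSAGE = 18   # RFC 2865 attribute type for Reply-Message

# Regex taken from the rlm_perl.ini in the post; applied per group DN.
GROUP_REGEX = re.compile(r"cn=(.*),ou=Groups,dc=mycompany,dc=de")


def groups_to_filter_ids(group_dns):
    """Map each group DN to a Filter-Id value; DNs outside ou=Groups are skipped."""
    result = []
    for dn in group_dns:
        m = GROUP_REGEX.fullmatch(dn)
        if m:
            result.append(m.group(1))
    return result


def build_access_accept(ident, request_auth, secret, filter_ids, reply_msg=None):
    """Encode an Access-Accept with one Filter-Id AVP per group (not just the last)."""
    attrs = b""
    for fid in filter_ids:
        value = fid.encode()
        attrs += struct.pack("!BB", FILTER_ID, 2 + len(value)) + value
    if reply_msg:
        value = reply_msg.encode()
        attrs += struct.pack("!BB", REPLY_MESSAGE, 2 + len(value)) + value
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    # Response Authenticator per RFC 2865: MD5(Code+ID+Length+RequestAuth+Attrs+Secret)
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def parse_attributes(packet):
    """Decode AVPs into {type: [values]}, keeping every repeated instance."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    attrs = {}
    pos = 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed RADIUS attribute")
        attrs.setdefault(atype, []).append(packet[pos + 2:pos + alen])
        pos += alen
    return code, ident, attrs
```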